path: root/sepolicy
Age  Commit message  Author
2014-03-02  Add SELinux rawip_socket policy for netmgrd.  (Robert Craig)
    This is policy that allows certain non-UDP or TCP IP sockets to occur. Addresses the following denials.
    avc: denied { create } for pid=660 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=rawip_socket
    avc: denied { setopt } for pid=660 comm="netmgrd" lport=58 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=rawip_socket
    avc: denied { write } for pid=660 comm="netmgrd" lport=58 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=rawip_socket
    Change-Id: I5208753e9703f248f3662e73f1f0bfcc9ce2c107
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-02  Augment SELinux socket policy for netmgrd.  (Robert Craig)
    Add raw sockets and netlink sockets policy to address the following denials.
    avc: denied { nlmsg_read } for pid=21815 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket
    avc: denied { nlmsg_write } for pid=21815 comm="ip" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=netlink_route_socket
    avc: denied { create } for pid=22054 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket
    avc: denied { bind } for pid=22054 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket
    avc: denied { write } for pid=22054 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket
    avc: denied { read } for pid=22054 comm="netmgrd" path="socket:[61557]" dev="sockfs" ino=61557 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=packet_socket
    Change-Id: I7b6d85d764fd55f471585b91985a357034f255ac
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-03-02  SELinux policy allowing netmgrd to set property value.  (Robert Craig)
    Allow netmgrd to talk to init over the property socket and set net.rmnet values. This will address the following denials.
    avc: denied { write } for pid=20064 comm="netmgrd" name="property_service" dev="tmpfs" ino=8248 scontext=u:r:netmgrd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
    avc: denied { connectto } for pid=650 comm="netmgrd" path="/dev/socket/property_service" scontext=u:r:netmgrd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
    avc: denied { set } for property=net.rmnet_usb0.dns1 scontext=u:r:netmgrd:s0 tcontext=u:object_r:radio_prop:s0 tclass=property_service
    Change-Id: I2913cd6c0011531507f6fab06daa1178abb5d006
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-26  Drop restorecons from init.flo.rc file.  (Robert Craig)
    Recent changes have obsoleted the need to call restorecon on any of the /data files and dirs. This patch drops those restorecons from the file. Also use a global macro where appropriate.
    Change-Id: Id3322180cfe431a4065cfd39046711d7ddfd9f31
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-24  Make kickstart domain enforcing.  (Robert Craig)
    Change-Id: Ib563b78cb1e14ca791ad8a505c14846ffd074949
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-24  Merge "Revert "Make kickstart domain enforcing.""  (Nick Kralevich)
2014-02-24  Revert "Make kickstart domain enforcing."  (Nick Kralevich)
    Deb is currently failing to boot with the following denial:
    <5>[ 9.197357] type=1400 audit(1393266095.704:12): avc: denied { search } for pid=266 comm="qcks" name="/" dev="mmcblk0p1" ino=1 scontext=u:r:kickstart:s0 tcontext=u:object_r:sdcard_external:s0 tclass=dir
    Revert while I investigate it.
    This reverts commit e68c94dd3b9130eaa5555eea4236fff03b711e77.
    Bug: 13168366
    Change-Id: I6241055854e623a6e74e3248311c3222f8ad83b6
2014-02-20  Move SELinux diag_device policy to userdebug/eng.  (Robert Craig)
    Also just remove all specific domain access and instead allow diag_device access for all domains on the userdebug/user builds.
    Change-Id: I2dc79eb47e05290902af2dfd61a361336ebc8bca
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20  Address SELinux denials with rild.  (Robert Craig)
    Allow r/w access to /dev/diag on userdebug/eng builds.
    avc: denied { read write } for pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
    avc: denied { open } for pid=204 comm="rild" name="diag" dev="tmpfs" ino=8404 scontext=u:r:rild:s0 tcontext=u:object_r:diag_device:s0 tclass=chr_file
    Grant radio sockets access to rild.
    avc: denied { write } for pid=323 comm="rild" name="qmux_radio" dev="tmpfs" ino=1053 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=dir
    avc: denied { write } for pid=323 comm="rild" name="qmux_connect_socket" dev="tmpfs" ino=1309 scontext=u:r:rild:s0 tcontext=u:object_r:qmuxd_socket:s0 tclass=sock_file
    avc: denied { connectto } for pid=323 comm="rild" path="/dev/socket/qmux_radio/qmux_connect_socket" scontext=u:r:rild:s0 tcontext=u:r:qmux:s0 tclass=unix_stream_socket
    Change-Id: I89f7531fb006bfcae9f97b979fba61f3ed6badde
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20  Make conn_init domain enforcing.  (Robert Craig)
    Change-Id: I52d22c9551e3608bf920d67c1debf15c505de4d2
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20  Make kickstart domain enforcing.  (Robert Craig)
    Change-Id: If95807ed6adfc7064f8fb699867d23247c1675a5
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-20  Merge "SELinux policy for rmt_storage process."  (Nick Kralevich)
2014-02-19  SELinux policy for rmt_storage process.  (Robert Craig)
    Initial policy helps address some of the following denials:
    Wake lock access:
    avc: denied { append } for pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
    avc: denied { open } for pid=171 comm="rmt_storage" name="wake_lock" dev="sysfs" ino=57 scontext=u:r:rmt:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file
    Capabilities (dropping uid and gid):
    avc: denied { setgid } for pid=171 comm="rmt_storage" capability=6 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
    avc: denied { setuid } for pid=171 comm="rmt_storage" capability=7 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
    Cgroup controls:
    avc: denied { add_name } for pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
    avc: denied { create } for pid=171 comm="rmt_storage" name="9999" scontext=u:r:rmt:s0 tcontext=u:object_r:cgroup:s0 tclass=dir
    Socket creation:
    avc: denied { read } for pid=209 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc: denied { create } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc: denied { ioctl } for pid=169 comm="rmt_storage" path="socket:[7463]" dev="sockfs" ino=7463 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc: denied { setopt } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc: denied { bind } for pid=169 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    avc: denied { read } for pid=210 comm="rmt_storage" scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=socket
    Access to certain modem and root block devices:
    avc: denied { read } for pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    avc: denied { open } for pid=171 comm="rmt_storage" name="mmcblk0" dev="tmpfs" ino=6554 scontext=u:r:rmt:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    Change-Id: Ia01257891eb2315632cef45dde7a099c3c042432
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-19  Revert "Temporarily move kickstart into permissive."  (Nick Kralevich)
    The underlying bug has been fixed. Move it back to permissive_or_unconfined().
    This reverts commit a43299d411c875b30f84118ad567cf173096e30b.
    Change-Id: Ic3a8f37baeffe3359b433156b5499b88735faf52
2014-02-19  Add SELinux policy for kickstart denials.  (Robert Craig)
    Access to m9kefs* block devices.
    avc: denied { getattr } for pid=215 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    avc: denied { setattr } for pid=216 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7618 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    Change owner and perms on /dev/block/platform/msm_sdcc.1/by-name/m9kefs*
    avc: denied { chown } for pid=216 comm="chown" capability=0 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
    avc: denied { fowner } for pid=220 comm="chmod" capability=3 scontext=u:r:kickstart:s0 tcontext=u:r:kickstart:s0 tclass=capability
    Label and give access to specific rmnet usb files.
    avc: denied { write } for pid=182 comm="sh" name="rmnet_data_init" dev="sysfs" ino=4275 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs:s0 tclass=file
    Change-Id: I2a1edda0efdfc57615c56c61ee446c343d7d875b
    Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-19  Temporarily move kickstart into permissive.  (Nick Kralevich)
    User builds of deb are currently hanging on boot, due to various kickstart denials. https://android-review.googlesource.com/81942 partially fixes this but not entirely. Root cause is https://android-review.googlesource.com/81990
    Works around the following denials:
    <5>[ 6.355163] type=1400 audit(1392852942.902:4): avc: denied { getattr } for pid=202 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    <5>[ 6.362487] type=1400 audit(1392852942.912:5): avc: denied { setattr } for pid=208 comm="chown" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    <5>[ 8.621612] type=1400 audit(1392852945.174:12): avc: denied { read } for pid=259 comm="qcks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    <5>[ 20.165863] type=1400 audit(1392852956.715:14): avc: denied { getattr } for pid=670 comm="ks" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    <5>[ 20.166076] type=1400 audit(1392852956.715:15): avc: denied { write } for pid=670 comm="ks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    <5>[ 20.166290] type=1400 audit(1392852956.715:16): avc: denied { open } for pid=670 comm="ks" name="mmcblk0p5" dev="tmpfs" ino=7595 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.678436] type=1400 audit(1392852716.202:5): avc: denied { getattr } for pid=206 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7563 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.686309] type=1400 audit(1392852716.212:6): avc: denied { getattr } for pid=222 comm="sh" path="/dev/block/mmcblk0p5" dev="tmpfs" ino=7563 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.691833] type=1400 audit(1392852716.222:7): avc: denied { getattr } for pid=224 comm="sh" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.699279] type=1400 audit(1392852716.232:8): avc: denied { getattr } for pid=226 comm="sh" path="/dev/block/mmcblk0p6" dev="tmpfs" ino=7567 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.705566] type=1400 audit(1392852716.232:9): avc: denied { getattr } for pid=228 comm="sh" path="/dev/block/mmcblk0p7" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.711700] type=1400 audit(1392852716.242:10): avc: denied { getattr } for pid=230 comm="sh" path="/dev/block/mmcblk0p7" dev="tmpfs" ino=7571 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.718475] type=1400 audit(1392852716.242:11): avc: denied { getattr } for pid=233 comm="sh" path="/dev/block/mmcblk0p28" dev="tmpfs" ino=7655 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [ 6.723510] type=1400 audit(1392852716.252:12): avc: denied { getattr } for pid=235 comm="sh" path="/dev/block/mmcblk0p28" dev="tmpfs" ino=7655 scontext=u:r:kickstart:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    Bug: 13100319
    Change-Id: If29e9ca63b4df946c2e3b29ec707a27a8ab79aa4
2014-02-04  Add file_contexts entries for socket files.  (Stephen Smalley)
    So that we do not relabel them on a restorecon -R /data.
    Change-Id: Ibf51efcbe8fed395b214ee81c097c4b04d4ce335
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-24  Make conn_init an init_daemon_domain  (Nick Kralevich)
    Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29
2014-01-13  Use permissive_or_unconfined.  (Nick Kralevich)
    Please see external/sepolicy commit 623975fa5aece708032aaf29689d73e1f3a615e7 for details.
    Change-Id: I23175a2982d7bdb962182b9b667d3767533b78d1
2014-01-07  sensors: allow dac_override  (Nick Kralevich)
    Same issue as device/lge/hammerhead commit 9ae16c2016141cc578a4bd7f6baa69f39e1900c9. Screen rotation is broken. Allowing dac_override fixes it.
    Change-Id: Ia8dfb27306f543db88cf38f457c76ff3969f6943
2014-01-04  Merge "Drop permissive constraint from sensors policy."  (Nick Kralevich)
2014-01-04  Merge "Drop permissive constraint from qmux policy."  (Nick Kralevich)
2014-01-04  Merge "Drop permissive constraint from bridge policy."  (Nick Kralevich)
2014-01-03  Merge "Drop permissive constraint from bluetooth policy."  (Nick Kralevich)
2013-12-20  Add execmem to camera domain.  (Stephen Smalley)
    Removed from domain so we need to add it back to individual domains as required.
    Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-18  initial irsc_util domain  (Nick Kralevich)
    Initially unconfined and enforcing.
    Change-Id: I49be1c53afb1f91836d5e49dbce84c4a0c789478
2013-12-12  Move gpu_device type and rules to core policy.  (Stephen Smalley)
    Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-11  Merge "Drop permissive constraint from mpdecision policy."  (Nick Kralevich)
2013-12-11  Merge "Drop permissive constraint from thermald policy."  (Nick Kralevich)
2013-12-02  allow gpu execute for all app domains.  (Nick Kralevich)
    Addresses the following denial:
    <5>[ 134.548725] type=1400 audit(1386010731.878:48): avc: denied { execute } for pid=3603 comm="droid.gallery3d" path="/dev/kgsl-3d0" dev="t
    Bug: 11967400
    Change-Id: Ie7813df171bc29ae12cd394621e8e20f13bb84dc
2013-11-25  Fix camera denials.  (Nick Kralevich)
    Addresses the following denials on deb:
    <5>[ 143.947113] type=1400 audit(1385421268.456:43): avc: denied { read write } for pid=2664 comm="mm-qcamera-daem" name="kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
    <5>[ 143.947296] type=1400 audit(1385421268.456:44): avc: denied { open } for pid=2664 comm="mm-qcamera-daem" name="kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
    <5>[ 143.947814] type=1400 audit(1385421268.456:45): avc: denied { ioctl } for pid=2664 comm="mm-qcamera-daem" path="/dev/kgsl-3d0" dev="tmpfs" ino=7700 scontext=u:r:camera:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
    Change-Id: I801a52d1b7677e9a18ccabcd57b2f555488ac6c9
2013-11-25  Merge "SELinux policy updates."  (Nick Kralevich)
2013-11-25  SELinux policy updates.  (Robert Craig)
    * Make gpu_device a trusted object since all apps can write to the device.
      denied { write } for pid=3460 comm="ense_free.menus" name="kgsl-3d0" dev="tmpfs" ino=7606 scontext=u:r:untrusted_app:s0:c92,c256 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
    * Drop dead type mpdecision_device.
    * Create policy for mm-pp-daemon and keep it permissive. Address the following initial denials.
      denied { write } for pid=220 comm="mm-pp-daemon" name="property_service" dev="tmpfs" ino=7289 scontext=u:r:ppd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
      denied { connectto } for pid=220 comm="mm-pp-daemon" path="/dev/socket/property_service" scontext=u:r:ppd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
      denied { read write } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
      denied { open } for pid=220 comm="mm-pp-daemon" name="fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
      denied { ioctl } for pid=220 comm="mm-pp-daemon" path="/dev/graphics/fb0" dev="tmpfs" ino=8523 scontext=u:r:ppd:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file
    * Add kickstart_exec labels for kickstart binaries that are used by deb devices.
    * Add tee policy. Label /data/misc/playready and allow tee access.
      denied { write } for pid=259 comm="qseecomd" name="misc" dev="mmcblk0p30" ino=635233 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
      denied { read } for pid=232 comm="qseecomd" name="/" dev="mmcblk0p30" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
      denied { create } for pid=306 comm="qseecomd" name="playready" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
      denied { search } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
      denied { read } for pid=282 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
      denied { write } for pid=265 comm="qseecomd" name="playready" dev="mmcblk0p30" ino=635262 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=dir
      denied { create } for pid=252 comm="qseecomd" name="tzdrm.log" scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
      denied { read write open } for pid=271 comm="qseecomd" name="tzdrm.log" dev="mmcblk0p30" ino=635264 scontext=u:r:tee:s0 tcontext=u:object_r:drm_data_file:s0 tclass=file
    * Give surfaceflinger access to /dev/socket/pps and allow access to certain sysfs nodes.
      denied { write } for pid=181 comm="surfaceflinger" name="pps" dev="tmpfs" ino=7958 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:ppd_socket:s0 tclass=sock_file
      denied { write } for pid=182 comm="surfaceflinger" name="hpd" dev="sysfs" ino=9639 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file
    Change-Id: Ia7a5c63365593af7ac5adc207b27fad113b01dd3
2013-11-25  Drop permissive constraint from thermald policy.  (Robert Craig)
    Change-Id: Ie4f658964a9e374dfbec38b57cc9f2db8940fcea
2013-11-25  Drop permissive constraint from sensors policy.  (Robert Craig)
    Change-Id: Ia1744f0df3e797f12111965971cb5f006f9b346c
2013-11-25  Drop permissive constraint from qmux policy.  (Robert Craig)
    Change-Id: I0ebd460d121e8fa653abff829a096b48d82b62f1
2013-11-25  Drop permissive constraint from mpdecision policy.  (Robert Craig)
    Change-Id: I5e93b63498db9fbdacdb5b63ca5d03dfebeb00e0
2013-11-25  Drop permissive constraint from camera policy.  (Robert Craig)
    Change-Id: Ieef883633910d73a8f09bccb912c53428998543d
2013-11-25  Drop permissive constraint from bridge policy.  (Robert Craig)
    Change-Id: I3b13eeeec011e80811890b88dbab179c2540e1e9
2013-11-25  Drop permissive constraint from bluetooth policy.  (Robert Craig)
    Change-Id: I9580fb6af2591a9b16a76d730b5dcedf95614cd1
2013-11-15  Add to selinux policy.  (Robert Craig)
    Bring policy over from the mako board, which has a lot of similar domains and services. mako is also a Qualcomm board, which allows a lot of that policy to be directly brought over and applied. Included in this are some radio specific pieces. Though not directly applicable to flo, the deb board inherits this policy.
    Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f
2013-11-14  Create new security labels for device nodes.  (Robert Craig)
    Labeling nodes with appropriate types doesn't introduce any new denials to the mix. This list largely addresses the Qualcomm specific nodes. Various nodes are labeled with radio specific types. Since the deb build inherits from this flo policy, it is a good idea to include them.
    Change-Id: Ia55a80af027c8bde933d45c41f4ed287f01adb2e
2013-11-14  Label kgsl (graphics) nodes.  (Robert Craig)
    Created a new label and addressed the following denials.
    * For system server
      denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
      denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
      denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    * For surfaceflinger
      denied { ioctl } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
      denied { read write } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    * For app domains
      denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
      denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
      denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
    Change-Id: I417bbd12fbdc17cd3d1110dcf3bff73dd5e385a4
2013-11-14  fix broken wifi on flo/deb  (Nick Kralevich)
    00739e3d14f2f1ea9240037283c3edd836d2aa2f in external/sepolicy moved ueventd into enforcing. This broke wifi on flo/deb. Fix it.
    This addresses the following denials:
    <5>[ 219.755523] type=1400 audit(1384456650.969:107): avc: denied { search } for pid=2868 comm="ueventd" name="wifi" dev="mmcblk0p30" ino=637740 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=dir
    <5>[ 219.755706] type=1400 audit(1384456650.969:108): avc: denied { read } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
    <5>[ 219.755889] type=1400 audit(1384456650.969:109): avc: denied { open } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
    <5>[ 219.756134] type=1400 audit(1384456650.969:110): avc: denied { getattr } for pid=2868 comm="ueventd" path="/data/misc/wifi/WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
    Bug: 11688129
    Change-Id: Ice0d3432010cfbbce88dd0ede013af3b2297d3d6
2013-11-08  Move rmt into its own domain.  (Nick Kralevich)
    Don't run rmt in init's domain. /system/bin/rmt_storage is a Qualcomm specific daemon responsible for servicing modem filesystem requests. It doesn't make sense to run rmt_storage in init's domain, as doing so prevents us from fine tuning its policy.
    Keep the domain in permissive mode right now until we address the following denials:
    <5>[ 7.497467] type=1400 audit(1383939680.983:5): avc: denied { read write } for pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
    <5>[ 7.497741] type=1400 audit(1383939680.983:6): avc: denied { open } for pid=193 comm="rmt_storage" name="mem" dev="tmpfs" ino=4010 scontext=u:r:rmt:s0 tcontext=u:object_r:kmem_device:s0 tclass=chr_file
    We still need to get a better understanding of what rmt_storage does and what rules should be applied to it.
    Change-Id: I45d03fb93870f1b4bb64215f5dcd9a2a443f5566
2013-11-06  Label /dev/qseecom  (Nick Kralevich)
    Otherwise keystore in enforcing is broken.
    Bug: 11518274
    Change-Id: I10ead7cabe794d1752a8cba4dc3193217aad7805
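Nearly every commit in this log follows the same workflow: boot with the domain in permissive or enforcing mode, collect the "avc: denied" lines, and turn them into allow rules (the audit2allow step), except where the right fix is to give the object its own type instead (the kgsl, qseecom and playready commits above) or to wrap the access in a policy macro. The script below is an added example written for this page, not code from the flo/deb device tree or from AOSP; it reproduces that step over denial lines copied from the netmgrd, rmt_storage, ueventd and kickstart commits above, collapsing same-context targets to `self` and merging permissions per (source, target, class). The set of catch-all target types it flags for relabelling is an assumption chosen from the commits on this page, not an authoritative list.

```python
"""Collapse Android 'avc: denied' audit lines into candidate SELinux allow rules.

Added example for this commit log; it is not code from the flo/deb device
tree or from AOSP's audit2allow. It reproduces the audit2allow step behind
the netmgrd, rild, rmt_storage, kickstart and ueventd commits above, and
additionally flags denials whose target is a catch-all type, which several
commits on this page resolved by labelling the node (gpu_device, qseecom,
drm_data_file) instead of granting access to the generic type.
"""
import re
from collections import defaultdict

# The payload of a denial, regardless of any dmesg/audit prefix in front of it.
_AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<attrs>.*?)\s+"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
_ATTR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Catch-all target types worth a second look before an allow rule is written.
# Assumption: picked from the relabelling commits on this page, not from any
# authoritative list in the policy.
GENERIC_TARGET_TYPES = {"device", "sysfs", "system_data_file", "block_device"}

# Sample input: denial lines copied from the commit messages above, one with
# its original dmesg prefix, assembled here as a constructed test set.
SAMPLE_DENIALS = """\
avc: denied { create } for pid=660 comm="netmgrd" scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=rawip_socket
avc: denied { setopt } for pid=660 comm="netmgrd" lport=58 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=rawip_socket
avc: denied { write } for pid=660 comm="netmgrd" lport=58 scontext=u:r:netmgrd:s0 tcontext=u:r:netmgrd:s0 tclass=rawip_socket
avc: denied { write } for pid=20064 comm="netmgrd" name="property_service" dev="tmpfs" ino=8248 scontext=u:r:netmgrd:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file
avc: denied { connectto } for pid=650 comm="netmgrd" path="/dev/socket/property_service" scontext=u:r:netmgrd:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket
avc: denied { set } for property=net.rmnet_usb0.dns1 scontext=u:r:netmgrd:s0 tcontext=u:object_r:radio_prop:s0 tclass=property_service
avc: denied { setgid } for pid=171 comm="rmt_storage" capability=6 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
avc: denied { setuid } for pid=171 comm="rmt_storage" capability=7 scontext=u:r:rmt:s0 tcontext=u:r:rmt:s0 tclass=capability
<5>[ 219.755706] type=1400 audit(1384456650.969:108): avc: denied { read } for pid=2868 comm="ueventd" name="WCNSS_qcom_cfg.ini" dev="mmcblk0p30" ino=637747 scontext=u:r:ueventd:s0 tcontext=u:object_r:wifi_data_file:s0 tclass=file
avc: denied { write } for pid=182 comm="sh" name="rmnet_data_init" dev="sysfs" ino=4275 scontext=u:r:kickstart:s0 tcontext=u:object_r:sysfs:s0 tclass=file
"""


def type_of(context):
    """Return the type field: u:r:netmgrd:s0 -> netmgrd, u:object_r:sysfs:s0 -> sysfs."""
    return context.split(":")[2]


def parse_denial(line):
    """Parse one audit line; return None for lines that are not AVC denials."""
    m = _AVC.search(line)
    if not m:
        return None
    attrs = {k: v.strip('"') for k, v in _ATTR.findall(m.group("attrs"))}
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scon")),
        "target": type_of(m.group("tcon")),
        "tclass": m.group("tclass"),
        "attrs": attrs,  # pid, comm, name, path, capability, property, ...
    }


def aggregate(lines):
    """Merge permissions per (source, target, class); same-context targets become 'self'."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        target = "self" if d["source"] == d["target"] else d["target"]
        rules[(d["source"], target, d["tclass"])] |= d["perms"]
    return rules


def to_allow_rules(lines):
    """Render the aggregate as sorted policy statements in .te syntax."""
    out = []
    for (src, tgt, cls), perms in sorted(aggregate(lines).items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return out


def flag_generic_targets(lines):
    """(source, target, class, object) for denials against catch-all types: relabel, don't allow."""
    flagged = []
    for line in lines:
        d = parse_denial(line)
        if d and d["target"] in GENERIC_TARGET_TYPES:
            obj = d["attrs"].get("name") or d["attrs"].get("path", "?")
            flagged.append((d["source"], d["target"], d["tclass"], obj))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_DENIALS.splitlines()
    print("\n".join(to_allow_rules(lines)))
    for src, tgt, cls, obj in flag_generic_targets(lines):
        print(f"# review: {src} -> {tgt}:{cls} on {obj!r}; give the node its own type instead")
```

Two things the raw output should not be committed as-is. The three netmgrd property denials (sock_file write on property_socket, connectto to init, property_service set on radio_prop) are exactly what the `set_prop()` macro in external/sepolicy expands to, and a client/server socket pair is what `unix_socket_connect()` covers, so the real commits use the macros rather than three separate allow lines. And the flagged kickstart write to a `sysfs`-typed file is the case the kickstart commit handled by labelling the specific rmnet sysfs files rather than allowing writes to all of sysfs; the same reasoning produced the gpu_device and qseecom labels further down the log.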